root.hints - apparmor access error with Bind from PPA

Timothe Litt litt at acm.org
Fri Jun 4 13:13:28 UTC 2021


I'm not an apparmor user - but have you looked at the parent directory
permissions?  From what you posted, that would be the logical culprit.

In any case, unless you are using a private root zone, since named has
the root nameserver addresses built-in, the use of root.hint is
unnecessary.  (Even if one or two change addresses before the next
release, as does happen infrequently, once named starts it will ask the
network for the full set.  It only needs one - of the 13 - to bootstrap
itself.)

There is an argument for running your own root server with a copy of the
root zone - but most small operators don't.  Simplifying, it makes sense
if you are "far" from the global root servers, have regular outages that
leave a local region intact, or are very concerned about privacy.  (In
the latter case, qname minimization is likely a better choice.)

It seems that a lot of distributions configure a root.hint out of
habit.  It's actually a step backwards, since unless you have a process
to update root.hint, your copy is likely to end up being older than
named's built-ins...

It's been a while since I looked, but at that time, a 20ish year old
root.hint had only a couple of IPv4 addresses wrong.  (Didn't have many
IPv6.)  root.hint really IS stable - and so, therefore, are the named
built-ins.


Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 03-Jun-21 22:45, 3coma3 wrote:
> Dear list:
>
> I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
> upgrade
> bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
> bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1
>
> (I was needing to use the validate-except clause and this new version
> supports it)
>
> After the upgrade, attempting to start the named service failed with
> this error:
> Jun  3 22:03:53 top named[19946]: could not configure root hints from
> '/usr/share/dns/root.hints': permission denied
>
> Right below that apparmor logs this:
>
> Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400
> audit(1622768633.158:559): apparmor="DENIED" operation="open"
> profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
> comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
>
>
> What's puzzling is that the apparmor profile apparently allows the read
> @ line 36:
>
> find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
> /etc/apparmor.d/usr.sbin.named:36:  /usr/share/dns/root.* r,
>
> dpkg -S /etc/apparmor.d/usr.sbin.named
> bind9: /etc/apparmor.d/usr.sbin.named
>
> apt-cache policy bind9
> bind9:
>   Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
>   Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
>   Version table:
>  *** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
>         500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64
> Packages
>         100 /var/lib/dpkg/status
>      1:9.11.3+dfsg-1ubuntu1.15 500
>         500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main
> amd64 Packages
>         500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
> Packages
>      1:9.11.3+dfsg-1ubuntu1 500
>         500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages
>
>
> Although the error appears to not be related to file perms, here's for
> completeness:
>
> ls -la /usr/share/dns
> total 28
> drwxr-xr-x   2 root root    55 dic 13  2019 .
> drwxr-xr-x 457 root root 12288 jun  3 21:44 ..
> -rw-r--r--   1 root root   166 feb  1  2018 root.ds
> -rw-r--r--   1 root root  3315 feb  1  2018 root.hints
> -rw-r--r--   1 root root   864 feb  1  2018 root.key
>
>
> It helped me to find a previous report at
> https://lists.isc.org/pipermail/bind-users/2020-July/103454.html
>
> And then I ended up solving the problem as Brett did there, by copying
> /usr/share/dns to /etc/bind/dns and changing the zone definition.
>
> Still I am reporting this in case it's affecting someone else, and
> because maybe you guys have an idea as to what's going on with apparmor
> here? I'm not very knowledgeable in it and would appreciate any info /
> help to solve the root cause (and maybe learn something).
>
> Thanks in advance
>
>
> full log:
>
> Jun  3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
> Jun  3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable
> Release) <id:0c314d8>
> Jun  3 22:03:53 top named[19946]: running on Linux x86_64
> 5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
> Jun  3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu'
> '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--disable-silent-rules' '
> --libdir=/usr/lib/x86_64-linux-gnu'
> '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir
> =/' '--enable-threads' '--enable-largefile' '--with-libtool'
> '--enable-shared' '--enable-static' '--with-gost=no'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2'
> '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxmin
> ddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
> '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
> -fdebug-prefix-map=/build/bind9-suAN9q/bind9-9.16.16=. -fstack-protector-s
> trong -Wformat -Werror=format-security -fno-strict-aliasing
> -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE'
> 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
> Jun  3 22:03:53 top named[19946]: running as: named -f -u bind
> Jun  3 22:03:53 top named[19946]: compiled by GCC 7.5.0
> Jun  3 22:03:53 top named[19946]: compiled with OpenSSL version: OpenSSL
> 1.1.1  11 Sep 2018
> Jun  3 22:03:53 top named[19946]: linked to OpenSSL version: OpenSSL
> 1.1.1  11 Sep 2018
> Jun  3 22:03:53 top named[19946]: compiled with libxml2 version: 2.9.4
> Jun  3 22:03:53 top named[19946]: linked to libxml2 version: 20904
> Jun  3 22:03:53 top named[19946]: compiled with json-c version: 0.12.1
> Jun  3 22:03:53 top named[19946]: linked to json-c version: 0.12.1
> Jun  3 22:03:53 top named[19946]: compiled with zlib version: 1.2.11
> Jun  3 22:03:53 top named[19946]: linked to zlib version: 1.2.11
> Jun  3 22:03:53 top named[19946]:
> ----------------------------------------------------
> Jun  3 22:03:53 top named[19946]: BIND 9 is maintained by Internet
> Systems Consortium,
> Jun  3 22:03:53 top named[19946]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Jun  3 22:03:53 top named[19946]: corporation.  Support and training for
> BIND 9 are
> Jun  3 22:03:53 top named[19946]: available at https://www.isc.org/support
> Jun  3 22:03:53 top named[19946]:
> ----------------------------------------------------
> Jun  3 22:03:53 top named[19946]: adjusted limit on open files from 4096
> to 1048576
> Jun  3 22:03:53 top named[19946]: found 12 CPUs, using 12 worker threads
> Jun  3 22:03:53 top named[19946]: using 12 UDP listeners per interface
> Jun  3 22:03:53 top named[19946]: using up to 21000 sockets
> Jun  3 22:03:53 top named[19946]: loading configuration from
> '/etc/bind/named.conf'
> Jun  3 22:03:53 top named[19946]: reading built-in trust anchors from
> file '/etc/bind/bind.keys'
> Jun  3 22:03:53 top named[19946]: looking for GeoIP2 databases in
> '/usr/share/GeoIP'
> Jun  3 22:03:53 top named[19946]: using default UDP/IPv4 port range:
> [32768, 60999]
> Jun  3 22:03:53 top named[19946]: using default UDP/IPv6 port range:
> [32768, 60999]
> Jun  3 22:03:53 top named[19946]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Jun  3 22:03:53 top named[19946]: generating session key for dynamic DNS
> Jun  3 22:03:53 top named[19946]: sizing zone task pool based on 25 zones
> Jun  3 22:03:53 top named[19946]: could not configure root hints from
> '/usr/share/dns/root.hints': permission denied
> Jun  3 22:03:53 top named[19946]: loading configuration: permission denied
> Jun  3 22:03:53 top named[19946]: exiting (due to fatal error)
> Jun  3 22:03:53 top kernel: [17981.067013] kauditd_printk_skb: 24
> callbacks suppressed
> Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400
> audit(1622768633.158:559): apparmor="DENIED" operation="open"
> profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
> comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
> Jun  3 22:03:53 top systemd[1]: named.service: Main process exited,
> code=exited, status=1/FAILURE
> Jun  3 22:03:53 top systemd[1]: named.service: Failed with result
> 'exit-code'.
> Jun  3 22:03:53 top systemd[1]: named.service: Service hold-off time
> over, scheduling restart.
> Jun  3 22:03:53 top systemd[1]: named.service: Scheduled restart job,
> restart counter is at 1.
> Jun  3 22:03:53 top systemd[1]: Stopped BIND Domain Name Server.
>
>
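The AppArmor denial and the profile rule quoted above are the kind of pair worth checking mechanically before guessing at a cause. The following Python script is an added example, not code from this thread, from BIND or from the AppArmor project: it parses the audit record into its key=value fields, applies AppArmor's path-glob semantics (`*` stops at `/`, `**` crosses it, `{a,b}` is alternation) to the simple file rules in a profile fragment, and reports whether the profile as written on disk covers the denied access. The audit line is the one quoted above re-joined onto one line; the profile fragment is constructed, with only its first rule taken from the thread.

```python
"""Check an AppArmor DENIED audit record against a profile's file rules."""
import re

# Constructed sample: the audit record quoted in the thread, re-joined on one line.
AUDIT_LINE = (
    'Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400 '
    'audit(1622768633.158:559): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946 '
    'comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0'
)

# Constructed profile fragment: the first rule is the one quoted from
# /etc/apparmor.d/usr.sbin.named in the thread; the other two are made up here.
PROFILE_TEXT = """
  /usr/share/dns/root.* r,
  /etc/bind/** r,
  /var/lib/bind/** rw,
"""

# key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Simple file rules of the form: <path-glob> <perms>,
RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+)\s*,\s*$')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def apparmor_glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regular expression.

    '*'  matches any run of characters except '/'
    '**' matches any run of characters including '/'
    '?'  matches one character other than '/'
    '{a,b}' matches either alternative
    """
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


def glob_matches(pattern, path):
    """True if the AppArmor glob `pattern` covers the absolute `path`."""
    return re.match(apparmor_glob_to_regex(pattern), path) is not None


def parse_rules(profile_text):
    """Extract (path_glob, permissions) pairs from simple file rules."""
    return [(m.group(1), m.group(2))
            for m in (RULE_RE.match(ln) for ln in profile_text.splitlines()) if m]


def diagnose(audit_line, profile_text):
    """Report which on-disk rules (if any) would have permitted the denied access.

    Only plain permission letters (r, w, a, k, l, m, x) are compared; the
    execute-transition variants (ix, px, ux, cx) are not modelled here.
    """
    ev = parse_audit(audit_line)
    path = ev.get('name', '')
    needed = set(ev.get('denied_mask', ''))
    matching = [f'{glob} {perms},' for glob, perms in parse_rules(profile_text)
                if glob_matches(glob, path) and needed <= set(perms)]
    return {
        'profile': ev.get('profile'),
        'path': path,
        'denied_mask': ev.get('denied_mask'),
        'fsuid': ev.get('fsuid'),
        'ouid': ev.get('ouid'),
        'matching_rules': matching,
        'verdict': 'file-rule-permits' if matching else 'no-file-rule',
    }


if __name__ == '__main__':
    for key, value in diagnose(AUDIT_LINE, PROFILE_TEXT).items():
        print(f'{key}: {value}')
```

A verdict of `file-rule-permits` alongside a kernel denial means the policy the kernel is enforcing is not the file you are reading: the kernel only knows the profile that was last loaded, so compare `aa-status` output with the file and reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` before looking elsewhere. The `fsuid`/`ouid` fields are the DAC side of the same question; with the 0644 mode shown in the `ls -la` output above, a read by uid 129 of a root-owned file is not what ordinary permissions would refuse, which is why the denial has to come from the MAC layer.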